The California Legislature has passed Assembly Bill 713 (AB 713), which amends the California Consumer Privacy Act (CCPA).
Although the bill, passed on September 5, has the primary and helpful effect of largely exempting information deidentified under the US Health Insurance Portability and Accountability Act (HIPAA) from the CCPA, AB 713 also regulates deidentified information in a novel way that departs from the mostly hands-off approach to such datasets adopted by federal and state regulators. As has been the case with many of the CCPA's heavily negotiated compromises, the bill will require affected entities to update both their privacy policies and their contracts.
Significantly, AB 713 contains an emergency clause, so it will take effect immediately if the governor signs it by September 30. The Legislature's stated reason is that the CCPA negatively impacts research and that "the provisions of this act would mitigate that harm as soon as possible."
As businesses begin planning for the California Privacy Rights Act (CPRA) ballot initiative, which significantly amends but does not replace the CCPA, there is some comfort in the fact that AB 713 does not directly conflict with the CPRA's provisions. AB 713's requirements are therefore likely to remain in force past 2022, regardless of whether the CPRA is approved by the voters this November.
When it took effect this year, the CCPA contained health sector exemptions for (1) medical information regulated by the California Confidentiality of Medical Information Act (CMIA) and protected health information (PHI) regulated by HIPAA (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (HITECH, Public Law 111-5), but not deidentified information, which is not PHI and so is not regulated by those laws; (2) healthcare providers and covered entities; and (3) some, but by no means all, types of research data. The CCPA also contained a second, narrower research exemption that applies only to the statute's data deletion requirement (Cal. Civ. Code 1798.105(d)(6)).
Exemption of HIPAA deidentified information
The most significant outcome of AB 713's passage is that, pending Governor Gavin Newsom's signature, deidentified information is exempt from regulation under the CCPA if the information is (1) derived from patient information that is protected under HIPAA, the CMIA, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule; and (2) deidentified using either the HIPAA expert determination method (45 CFR 164.514(b)(1)) or the HIPAA safe harbor method (45 CFR 164.514(b)(2)).
The CCPA already exempted deidentified information as defined in Cal. Civ. Code 1798.140(h), but that definition does not align with the HIPAA deidentification standard, which led to confusion regarding the applicability and scope of the exemption.
Importantly, AB 713 exempts this information only for as long as it remains deidentified. If it is reidentified within the meaning of HIPAA, the CCPA applies again. Subject to exceptions set out in the bill, a CCPA-covered business, or any other entity, is generally prohibited from reidentifying or attempting to reidentify the information.
The term "reidentify" is defined very broadly to mean "the process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual." One issue raised by this definition is whether and how companies will be able to enhance or enrich datasets (for example, by linking them with other data sources) without triggering the prohibition.
New notice requirements for HIPAA deidentified information
A business that sells or discloses HIPAA deidentified patient information must state in its privacy policy whether it does so and, if so, whether the information was deidentified under the HIPAA expert determination method, the HIPAA safe harbor method, or both.
New contract requirements for sale or licensing of HIPAA deidentified information
If HIPAA deidentified information is sold or licensed after January 1, 2021 to or by a party doing business in California, the contract must include provisions to the following effect:
- A statement that the deidentified information being sold or licensed includes deidentified patient information
- A statement that reidentification, or attempted reidentification, is prohibited
- A statement that, unless required by law, the purchaser or licensee of the information may not further disclose the deidentified information to any third party unless that third party is contractually bound by the same or stricter restrictions and conditions.
These restrictions on downstream reidentification of deidentified health data that is sold or licensed are novel and differ from HIPAA's requirements. They do not prevent widespread use of deidentified data, and they impose no technical requirements. Nonetheless, they will impose contract compliance burdens on many businesses that have historically been able to freely monetize what were previously largely unregulated datasets.
Broader exemptions for research and HIPAA business associates
The exemption for deidentified datasets is in a new Section 1798.146. In addition, there are exemptions, among others, for:
- Business associates governed by the privacy, security and breach notification rules of HIPAA and HITECH, to the extent the business associate maintains, uses and discloses patient information in the same manner as medical information under the CMIA or PHI under HIPAA
- Information collected, used or disclosed in research, including but not limited to clinical trial information, conducted in accordance with the applicable ethics, confidentiality, privacy and security rules of HIPAA, the Common Rule, the International Council for Harmonisation (ICH) guidelines, or the human subject protection requirements of the Food and Drug Administration (FDA).
The business associate exemption is parallel to the 2018 CCPA healthcare provider exemption in Section 1798.145(c)(1)(B). It covers not just PHI but also the processing of a wide range of "patient information," as long as that information is protected in the same manner as medical information or PHI. As a result, acting as a HIPAA business associate in one context (e.g., as a data hosting provider for a HIPAA-covered entity) may have far-reaching implications under the CCPA even in situations where the entity is not serving as a business associate (e.g., data hosting for a direct-to-consumer medical mobile application), as long as the information is protected as PHI or medical information.
The research exemption extends beyond the clinical trials subject to the Common Rule, ICH guidelines or FDA human subject requirements that are covered by the existing research exemption, reaching a much broader universe of research and potentially aiding the worldwide effort to find a vaccine against coronavirus disease 2019 (COVID-19). For example, the exemption would cover real-world evidence collection and analysis that involves only a review of existing medical records, including electronic health records, rather than the clinical interventions that are the subject of clinical trials, as long as the research is subject to one of the four frameworks specified in the exemption. Those frameworks include HIPAA in addition to the three cited in the existing, narrower exemption.
AB 713 in some respects simplifies healthcare sector compliance with the CCPA, particularly for medical research, for business associates, and for entities that use deidentified health data. At the same time, it imposes new notice and contracting requirements on California entities that sell or license deidentified health information and bars reidentification of that data by recipients, which raises additional operational and legal issues.
An earlier version of this article appeared in the IAPP Daily Digest on September 22, 2020.